The situation is worse than expected for LastPass. The publisher of the famous password manager acknowledges that hackers have stolen personal and sensitive user data stored in encrypted safes…

The string of hacks against LastPass continues. As the investigation progresses, the company is sharing its latest findings in a post on its support site. It appears that the cybercriminals managed to infiltrate the personal computer of a developer who had access to a cloud storage environment shared by only a handful of LastPass staff, and which evidently contained valuable information: in particular, the encryption keys giving access to the backups of customer vaults, which the hackers did not hesitate to copy.

To gain access to this computer, the cybercriminals exploited a vulnerability in the Plex media platform, which had itself been the victim of an attack some time earlier that resulted in the theft of 15 million passwords. They implanted keylogger malware, which captured the engineer's password as it was typed. Since they then used legitimate credentials, their activity was harder to spot. LastPass has since announced that it has updated its security policy, including regularly rotating sensitive credentials and authentication tokens and implementing stricter alerting.

LastPass: the contents of customer vaults in the wild

After having stolen the application's source code as well as information on how it works, the hackers had targeted LastPass again. If, at first, the company had tried to be reassuring, stating that its customers' passwords "remained securely encrypted", the damage was actually greater than expected. As a reminder, password managers let you store all your essential passwords, payment details and login information in a strongly encrypted database, or vault, which the user unlocks with a single master password. Suffice to say that LastPass holds data of great value to hackers, especially with its 33 million individual users and 100,000 businesses, including major American media such as the New York Times, CNN and Mashable.

At the end of December 2022, LastPass had published a new blog post to share the progress of its investigation with its users, as the firm had promised. And the news was rather bad, because it turned out that the hackers had indeed gained access to personal information and associated metadata, including usernames and the names of the companies using the service, but also billing addresses, customer email addresses, IP addresses and phone numbers. Worse still, they had also managed to get hold of customer vaults containing encrypted data: all the website usernames and passwords, with their URLs, entered by the company's customers, as well as secure notes, form-fill data and backed-up content. No less! The only small consolation: "There is no evidence that unencrypted credit card data was accessed. LastPass does not store full credit card numbers and credit card information is not archived in this cloud storage environment."


On the face of it, most of this information should not be exploitable. "These encrypted fields remain secure with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture," explained company boss Karim Toubba, referring to a security model in which data is encrypted only on the user's device before it is synchronized with the service: in theory, if LastPass does not know the data, neither do the hackers. The company therefore considered that there was still no real risk for users. "It would take millions of years to guess your master password using common password cracking technology," the company judged. The attacker "may attempt to use brute force to guess your master password and decrypt the copies of vault data it has taken", but here again it would be difficult.
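To make the zero-knowledge argument above concrete, here is an added example (not LastPass's code, and not a description of its exact scheme) in which the vault key is derived on the client from the master password with PBKDF2-SHA256, the server only ever sees a further one-way hash, and the cost of guessing the master password is estimated from the work factor and password length. The iteration count, salt and the 1e9 guesses/s attacker rate are assumptions chosen for illustration.

```python
import hashlib
import time

# Assumed illustrative PBKDF2 work factor; not a claim about LastPass's actual setting.
ITERATIONS = 100_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password on the client side.
    In a zero-knowledge design only this key, never the password, can unlock the vault,
    and neither one is ever sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way step keyed by the password: the value a server could store to
    authenticate logins. Stolen on its own it cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def measure_guess_rate(salt: bytes, iterations: int = ITERATIONS, samples: int = 10) -> float:
    """Guesses per second one CPU core achieves against this work factor (constructed guesses)."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess-{i}".encode(), salt, iterations, dklen=32)
    return samples / (time.perf_counter() - start)


def expected_crack_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to search half the keyspace of a random password of the given length."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed; real salts are random per user
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    print("login hash:", derive_login_hash(key, "correct horse battery staple").hex())
    rate = measure_guess_rate(salt)
    print(f"this core: {rate:.1f} guesses/s at {ITERATIONS} iterations")
    for length in (8, 12, 16):
        # 94 printable ASCII characters; 1e9 guesses/s stands in for a large GPU cluster
        print(f"{length} random chars: {expected_crack_years(length, 94, 1e9):.3g} years")
```

The contrast between an 8-character and a 12-character random master password is the whole point of the "millions of years" claim: the same stolen vault copy is either a weekend's work or effectively unbreakable depending on what the user chose.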

LastPass: a large-scale hack

But the worst was yet to come. Paddy Srinivasan, CEO of GoTo, the password manager's publisher, announced in a blog post on January 23, 2023 that last November's hack actually extended far beyond LastPass. In addition to LastPass, five services were also affected: the Pro and Central remote access tools, the join.me online meeting service, the Hamachi VPN service and the RemotelyAnywhere remote access tool.

And that's not all! The hackers had managed to recover an encryption key for part of the backups stored with a cloud provider. They thus had access to several pieces of information, such as usernames, encrypted passwords (which are therefore unreadable), product license details, and information on their configuration and on multi-factor authentication. The parent company nevertheless kept up a "reassuring" line, asserting that no banking information had been stolen and that the number of people whose data had been compromised was very limited. Affected customers have been contacted and their account passwords reset, while accounts have been moved to a new, more secure platform with improved identity management and stronger authentication.

LastPass hack: what are the risks for users?

After this massive data leak, LastPass had decided to strengthen its security by decommissioning the development environment the hackers had accessed and rebuilding it from scratch. The company had also replaced and hardened developer machines, processes and authentication mechanisms. It was also analysing all accounts showing signs of suspicious activity. Other protective measures had also been taken.

To avoid any risk of credential stuffing (a technique that consists of carrying out, with software or by hand, massive authentication attempts against websites and services using username/password pairs), LastPass had recommended that users change their master password and those used for each associated account. Of course, they had to be strong and long, with numbers, letters and special characters. It was also better, cyberattack or not, to strengthen the security of your account by activating two-factor authentication, also called multi-factor authentication. To do this, just follow the firm's tutorial.
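Credential stuffing, as defined above, has a recognisable shape in authentication logs: one source cycling through many different accounts in a short time, which is unlike a single user retrying their own password. The following is an added detection example (not LastPass's code) over a constructed sample log; the log format, the 5-minute window and the 5-account threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp source_ip username result.
# 203.0.113.7 walks through many different accounts; 198.51.100.2 is one user fumbling a password.
SAMPLE_LOG = """\
2023-01-24T10:00:01Z 203.0.113.7 alice FAIL
2023-01-24T10:00:02Z 203.0.113.7 bob FAIL
2023-01-24T10:00:02Z 203.0.113.7 carol FAIL
2023-01-24T10:00:03Z 203.0.113.7 dave OK
2023-01-24T10:00:04Z 203.0.113.7 erin FAIL
2023-01-24T10:00:05Z 203.0.113.7 frank FAIL
2023-01-24T10:01:10Z 198.51.100.2 alice FAIL
2023-01-24T10:01:25Z 198.51.100.2 alice FAIL
2023-01-24T10:01:40Z 198.51.100.2 alice OK
"""


def parse_line(line: str):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                               min_users: int = 5) -> dict:
    """Return {source_ip: distinct_usernames} for sources that hit at least `min_users`
    different accounts inside any sliding `window`. Successful logins count too: a stuffed
    pair that matches is exactly the case worth alerting on."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, _ = parse_line(line)
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            if distinct >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, n in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {n} distinct accounts in 5 min")
```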

But while the passwords had, on the face of it, nothing to fear, the theft of personal data was more troubling. Indeed, hackers could use it to carry out phishing operations, in particular by posing as LastPass so that their victims voluntarily hand over their master password. This is why the company reminded customers that it will never call them, and will never send them e-mails or text messages asking them to click on a link to verify their personal information. Other than when logging into their vault from a LastPass client, it will never ask them for their master password.

LastPass: two successive cyberattacks

Normally, using a password manager is a good way to protect personal accounts and information, and to remember them. But because of the sensitive data they contain, these tools are frequently targeted by hacking attempts. At the beginning of August, the publisher of the LastPass password manager had detected traces of "unauthorized activities", as it announced in a press release. The intrusion followed the compromise of a developer account and allowed a hacker to gain access to the development environment. The attacker had managed to steal portions of source code and proprietary technical information from the firm, which nevertheless sought to be reassuring. "Our products and services are operating normally," it had declared. On the face of it, users' credentials and passwords did not seem to have been compromised. LastPass explained that it had "contained the issue, implemented additional security measures" and had not "witnessed other attempts at unauthorized activity".

After opening an investigation, the firm had, as a precaution, called in the cybersecurity and forensics specialist Mandiant. It had found that the intrusion had been "limited" to a period of four days, and that "Our system design and controls prevented the threat actor from gaining access to customer data or encrypted password vaults." It added that in any case, "we never store or know your master password."

On November 30, the firm revealed in a new blog post that it had been the victim of a second cyberattack and that, this time, some "customer information items" could have been accessed by the attackers; the firm had remained rather vague about their nature and the number of users affected. According to initial information, the hackers had used data recovered during the previous attack. LastPass stated that "we work diligently to understand the scope of the incident and identify the specific information that was accessed". The company also indicated that it had again called on Mandiant as part of its risk management program, as it had after the previous attack, and had notified law enforcement. "As always, we'll let you know as soon as we know more," it had promised. Still, this story seriously tarnishes the image of a company that claims to be the number one password manager in the world.